The incident drew criticism across the Ethereum community and other cryptocurrency projects. Most believe that it was not an attack, since everything occurred within the rules of the platform.
It was recently reported that the decentralized finance (DeFi) platform bZx, which runs on the Ethereum blockchain, lost about USD 1,000,000. It suffered a total of two attacks in a span of just 4 days, with losses amounting to over 3,500 ethers (ETH).
Even though the event resulted from premeditated and clearly planned actions by a user, the community has focused its criticism on the fact that such attacks are possible, rather than on the attack itself. In particular, the general view is that, beyond the attacker’s premeditation, everything was done within the rules established by the various platforms on which the attacker operated.
Last February 14th, a user requested a flash (instant) loan of 10,000 ETH through the DeFi platform dYdX. With more than half of those funds, he requested a loan of 112 wBTC through Compound, with ETH as collateral. He then opened a position of about 1,300 ETH in Fulcrum and converted more than 5,600 ETH into wBTC through Uniswap.
According to the bZx report, that last move resulted in a significant increase in the value of wBTC. The attacker took advantage of that situation, exchanging the 112 wBTC obtained through Compound for more than 6,870 ETH, for a total profit of 1,193 ETH (equivalent to about USD 300,000) after repaying the loans.
The second attack, although not conducted in exactly the same way, relied on a fairly similar mechanism and left the attacker with a favorable balance equivalent to around USD 640,000 in ethers.
What Happened Exactly
One of the most frequently repeated views is that the attacker only took advantage of a faulty mechanism, manipulating its operation without breaking its rules. Some have even joked about the opportunity to commit sophisticated robberies like this, taking advantage of DeFi platform systems.
Developer Santiago Palladino, who is part of the OpenZeppelin team, explained in a thread published on Twitter that what happened not only did not break the instant-loan mechanism offered by bZx, but that this product exists precisely for such operations.
He describes the possibility of receiving loans without collateral as an unprecedented opportunity. Palladino explains that these types of loans allow users to conduct financial operations such as arbitrage without an initial investment. In other words, it is not necessary to have any money to receive more money.
For his part, Alex Svanevik, Founder of The Data Science DAO, said that the risk does not exist only in bZx, but is a general problem with DeFi platforms. This is especially so because a single address can accumulate up to one half of the liquidity of one of those platforms.
The lack of liquidity, which allows a single user to manipulate the price, is one of the most discussed aspects of this case. In particular, commentators question a platform's use of a single reference to determine the price of an asset, as occurred in bZx.
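To make the single-reference problem concrete, here is an added example (not code from bZx or any platform named in the article) that models a thin constant-product pool and a price check that cross-references other venues before accepting a quote. The pool reserves, the 0.3% fee, the reference quotes, the 5% threshold and all function names are assumptions constructed for illustration; only the 5,600 ETH swap size comes from the article.

```python
from statistics import median

FEE = 0.003  # 0.3% swap fee (assumed, Uniswap-style pool)

def swap_eth_for_wbtc(eth_reserve, wbtc_reserve, eth_in):
    """Constant-product (x * y = k) swap. Returns the pool reserves after the trade."""
    eth_in_net = eth_in * (1 - FEE)
    wbtc_out = wbtc_reserve * eth_in_net / (eth_reserve + eth_in_net)
    return eth_reserve + eth_in, wbtc_reserve - wbtc_out

def spot_price(eth_reserve, wbtc_reserve):
    """ETH per wBTC implied by the pool's current reserves."""
    return eth_reserve / wbtc_reserve

def checked_price(primary, references, max_deviation=0.05):
    """Accept the primary quote only if it is within max_deviation of the
    median of independent reference quotes; otherwise refuse to price."""
    ref = median(references)
    deviation = abs(primary - ref) / ref
    if deviation > max_deviation:
        raise ValueError(
            f"quote {primary:.2f} deviates {deviation:.0%} from reference {ref:.2f}")
    return primary

def demo():
    # Constructed sample data: a thin pool and quotes from three other venues.
    eth_reserve, wbtc_reserve = 3_800.0, 100.0
    references = [37.7, 38.0, 38.4]  # ETH per wBTC, constructed
    before = spot_price(eth_reserve, wbtc_reserve)
    # 5,600 ETH is the swap size reported in the article.
    after = spot_price(*swap_eth_for_wbtc(eth_reserve, wbtc_reserve, 5_600.0))
    accepted = checked_price(before, references)
    try:
        checked_price(after, references)
        rejected = False
    except ValueError:
        rejected = True
    return {"before": before, "after": after,
            "accepted": accepted, "rejected": rejected}

if __name__ == "__main__":
    print(demo())
```

A platform that reads only the pool's spot price would value collateral at the post-swap figure, while the cross-checked version refuses to price until the quote returns to the range of the other sources.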
Developer Julien Bouteloup, from the firm Stake Capital, went a little further, stating that it was impossible to consider what happened an attack, especially after he had “repeatedly” warned that the platform’s funds were not safe. However, Bouteloup said that bZx considers this to be false.
By Alexander Salazar